Zero-Day Attacks Thrive for Months Before Disclosure

Zero-day vulnerabilities and exploits dominate headlines and most heated information security discussions. In truth, however, there are relatively few of these attacks hitting a small number of hosts, according to new research on the subject.

The reason zero days eat up so much bandwidth is their effectiveness in compromising targets and avoiding detection. Researchers Leyla Bilge and Tudor Dumitras of Symantec Research Labs looked at periods of malware activity on a host of Symantec detection platforms from 2008 to 2011 and quantified the window of exposure organizations face from attacks that are active before vulnerabilities are publicly disclosed.

The 18 attacks they discovered in that three-year timespan lasted anywhere between 19 days and 30 months, an average of 312 days, or 10 months. That means organizations targeted by zero-day malware were likely severely compromised by a variety of malware attacking undisclosed vulnerabilities on a number of platforms.

“For cyber criminals, unpatched vulnerabilities in popular software such as Microsoft Office or Adobe Flash represent a free pass to any target they might wish to attack, from Fortune 500 companies to millions of consumer PCs around the world,” Bilge and Dumitras wrote in a paper “Before We Knew It: An empirical study of zero-day attacks in the real world.”

Not surprisingly, once zero-day vulnerabilities are publicly disclosed, the volume of attacks exploiting them jumps by five orders of magnitude, the researchers said, with most of that increase occurring within 30 days of disclosure.

“Cyber criminals watch closely the disclosure of new vulnerabilities in order to start exploiting them which causes a significant risk for end users,” the paper said. 

The researchers said they found 18 zero-day vulnerabilities from February 2008 to the end of last year: three in 2008; seven in 2009; six in 2010; and two in 2011. Fifteen of the zero-days targeted fewer than 1,000 hosts, while the other three (Stuxnet and its variants; Conficker and its variants; and a Bloodhound Exploit) infected hundreds of thousands of machines before being detected. They also found that patching processes are still lacking in organizations, as more than 58 percent of antivirus signatures for these zero-days remain active today, in some cases years after disclosure.

“When disclosed vulnerabilities are left unpatched, this creates an opportunity for cyber criminals to create additional exploits and to conduct attacks on a larger scale; however these attacks can usually be detected by an antivirus program with up-to-date definitions,” the paper said.

The researchers conducted their study on data gathered by Symantec’s proprietary Worldwide Intelligence Network Environment (WINE), which is fed by hosts running Symantec security products that have opted in to share data with the network. From this, the researchers extracted two data sets: antivirus telemetry, which records detections of known threats for which Symantec has a signature deployed, and binary reputation data, which reports benign and malicious binaries downloaded on hosts. This comprised 32 billion reports and 300 million distinct files on 11 million hosts, the paper said.

These data sets were correlated with information from the Open Source Vulnerability Database (OSVDB), Symantec’s Threat Explorer, a representative list of malware observed by Symantec, and a Symantec data set with dynamic analysis results for malware samples, the paper said.

In order to identify zero-day attacks in the wild before public disclosure, Symantec’s researchers built a five-step methodology. The first step was to collect discovery, disclosure and exploit release dates for vulnerabilities that have a CVE identifier, and then search Symantec's Threat Explorer site for threats exploiting those vulnerabilities; this mapped threats to their corresponding CVE numbers. Next, they mapped threats to exploits and variants by finding the exploit files detected by each virus signature in the binary reputation data. The third step was to query the dynamic analysis data set for the files (identified by hash) downloaded after a successful exploitation, which mapped threats to malicious files. Next, they searched for each executable in the binary reputation data to estimate when it first appeared online; this identifies an attack, rather than only a successful infection. Finally, comparing the start date of each attack with the disclosure date of the corresponding vulnerability allowed them to determine whether a zero-day attack had been carried out: if at least one of those hashes was downloaded before the disclosure date, that indicated a zero-day attack.
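The last step of that methodology, reduced to a small script as an added example (this is not code from the article or from the Bilge and Dumitras paper); every hash, CVE number, threat name, host name and date in it is constructed:

```python
# Added example, not the paper's tooling: correlate constructed binary reputation
# telemetry with threat-to-CVE and threat-to-hash mappings to find zero-day windows.
# All identifiers and dates below are made up for illustration.
from dataclasses import dataclass
from datetime import date

# Step 1 output (constructed): CVE -> public disclosure date
DISCLOSURE = {
    "CVE-0000-0001": date(2009, 6, 10),
    "CVE-0000-0002": date(2010, 3, 2),
}
# Steps 2-3 output (constructed): threat -> CVE exploited, threat -> dropped file hashes
THREAT_TO_CVE = {"Trojan.Example.A": "CVE-0000-0001", "Worm.Example.B": "CVE-0000-0002"}
THREAT_TO_HASHES = {"Trojan.Example.A": {"aaaa", "bbbb"}, "Worm.Example.B": {"cccc"}}

@dataclass(frozen=True)
class Report:
    """One binary reputation record: which host saw which file, and when."""
    host: str
    sha: str
    seen: date

# Step 4 input (constructed): first-seen dates of exploit files on individual hosts
TELEMETRY = [
    Report("host-1", "aaaa", date(2008, 11, 20)),  # before CVE-0000-0001 disclosure
    Report("host-2", "aaaa", date(2009, 1, 5)),    # before disclosure, second host
    Report("host-3", "bbbb", date(2009, 7, 1)),    # after disclosure: not counted
    Report("host-4", "cccc", date(2010, 3, 9)),    # after disclosure: CVE-0000-0002 is not zero-day
]

def zero_day_windows(telemetry, threat_to_cve, threat_to_hashes, disclosure):
    """Step 5: for each CVE with at least one exploit file seen before disclosure,
    return (first_seen, days_before_disclosure, hosts_hit_before_disclosure)."""
    hits = {}  # cve -> pre-disclosure reports, merged across threats sharing a CVE
    for threat, cve in threat_to_cve.items():
        hashes = threat_to_hashes.get(threat, set())
        for r in telemetry:
            if r.sha in hashes and r.seen < disclosure[cve]:
                hits.setdefault(cve, []).append(r)
    result = {}
    for cve, reports in hits.items():
        first = min(r.seen for r in reports)
        window = (disclosure[cve] - first).days
        result[cve] = (first, window, len({r.host for r in reports}))
    return result

if __name__ == "__main__":
    for cve, (first, days, hosts) in zero_day_windows(
            TELEMETRY, THREAT_TO_CVE, THREAT_TO_HASHES, DISCLOSURE).items():
        print(f"{cve}: zero-day attack from {first}, {days} days before disclosure, {hosts} host(s)")
```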

“It seems that, as long as software will have bugs and the development of exploits for new vulnerabilities will be a profitable activity, we will be exposed to zero-day attacks,” the paper said. “In fact, 60 percent of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought, perhaps more than twice as many.”

  • PA on

    Great well written article!!!

     This topic is one we in the Intelligence, Cybersecurity, Infosec and Information Assurance arenas have been asking (sometimes begging) that companies do something about. They must update, fix, mitigate (anyway you want to describe it) vulnerabilities and holes!!!

    Business cannot go on as usual wherein companies say “fixes are too expensive” or “it takes too much in the way of resources.” Well, to all that I would say, what about the MUCH more expensive fallout of not updating, patching or fixing holes in the network, software, etc.??? It is so much more prohibitively expensive that it has become a no-brainer to fix these vulnerabilities.

    Currently, there are plenty of software packages out there a firm can acquire to find and fix many of the holes – and some of the fixes are automatic. Secunia is one of those firms that spring to mind (and ‘no,’ I do not have any alliance with that firm but I do use that software at home).

    The results of not fixing these holes can be bankrupting if disclosure of Personally Identifiable Information or HIPAA related or financial or R & D information (among many realms of data) takes place.

    In today’s climate, why wouldn’t many, many more private/public firms jump on fixing holes as soon as their security staff, or any of their employees, bring it up? It makes no sense why SCADA outfits band together and demand the manufacturers of their equipment come up with more immediate solutions. It also makes no sense economically why ISPs don’t implement more cloud-based solutions to choke off all the dangerous known (and if possible, predictive) malicious software (malware) and traffic out there BEFORE it clogs up the pipes of the Internet (the current Internet or Internet II, the reserved Internet) and the massive numbers of servers out there.

    As this article so eloquently states, these Zero-Day (0-Day) attacks don’t just occur on the very first day of the public becoming aware. These insidious packages of malware reside on people’s PCs at home, in the corporation and in government institutions / agencies for days, weeks and months before they are instructed to cause damage.

    Why can’t we have a national cloud (’Net) based security platform to interdict malware attacks? We could probably have key router/switching hubs on the ’Net set up around the country to monitor, detect, block and mitigate malware as the malware enters, travels around and leaves the U.S. Of course it has to be updated in real time.

    And signature-based anti-malware is no longer enough – many writers have stated that over the past couple of years. It will have to be a layered defense-in-depth approach with, what, maybe – heuristics, AI, fuzzy logic, you name it. But it has got to be a system of multiple defenses.

    And to make it even better (more effective), it could be linked to other ISPs around the world, say in the U.K., Germany, the Philippines and other countries that are willing to collaborate (more) and share information so we can finally start doing better at solving issues of attribution (who did it).

    But maybe someone else has already attempted all this and was shoved under the carpet for whatever reason.

    We need to get a handle on malware – the criminals of the world are not going to stop…
